Merge remote-tracking branch 'origin/main' into preston/more-connections

# Conflicts:
#	README.md
#	skills/generic/latchkey/SKILL.md
#	skills/openclaw/latchkey/SKILL.md
#	src/serviceRegistry.ts
#	src/services/index.ts
#	tests/serviceRegistry.test.ts

Author: Preston Seay

README.md

@@ -440,5 +440,4 @@ override `config.json` values.
 Latchkey currently offers varying levels of support for the
 following services: AWS, Calendly, Discord, Dropbox, Figma, GitHub, GitLab,
 Gmail, Google Analytics, Google Calendar, Google Docs, Google Drive, Google Sheets,
-Linear, Mailchimp, Notion, Ramp, Sentry, Slack, Stripe,
-Telegram, Yelp, Zoom, and more.
+Linear, Mailchimp, Notion, Ramp, Sentry, Slack, Stripe, Telegram, Todoist, Yelp, Zoom, and more.

package-lock.json

@@ -58,7 +58,7 @@
     "node": ">=20"
   },
   "dependencies": {
-    "@imbue-ai/detent": "^1.6.0",
+    "@imbue-ai/detent": "^1.7.0",
     "@napi-rs/keyring": "^1.2.0",
     "commander": "^12.0.0",
     "playwright": "~1.60.0",

package.json

@@ -106,8 +106,7 @@ used to see how to provide credentials for a specific service.
 Latchkey currently offers varying levels of support for the
 following services: AWS, Calendly, Coolify, Discord, Dropbox, Figma, GitHub, GitLab,
 Gmail, Google Analytics, Google Calendar, Google Docs, Google Drive, Google Sheets,
-Linear, Mailchimp, Notion, Ramp, Sentry, Slack, Stripe,
-Telegram, Umami, Yelp, Zoom, and more.
+Linear, Mailchimp, Notion, Ramp, Sentry, Slack, Stripe, Telegram, Todoist, Umami, Yelp, Zoom, and more.
 
 ### User-registered services
 

skills/generic/latchkey/SKILL.md

@@ -98,8 +98,7 @@ used to see how to provide credentials for a specific service.
 Latchkey currently offers varying levels of support for the
 following services: AWS, Calendly, Coolify, Discord, Dropbox, Figma, GitHub, GitLab,
 Gmail, Google Analytics, Google Calendar, Google Docs, Google Drive, Google Sheets,
-Linear, Mailchimp, Notion, Ramp, Sentry, Slack, Stripe,
-Telegram, Umami, Yelp, Zoom, and more.
+Linear, Mailchimp, Notion, Ramp, Sentry, Slack, Stripe, Telegram, Todoist, Umami, Yelp, Zoom, and more.
 
 ### User-registered services
 

skills/openclaw/latchkey/SKILL.md

@@ -7,7 +7,11 @@ import { existsSync, statSync, unlinkSync } from 'node:fs';
 import { basename, join } from 'node:path';
 import { createInterface } from 'node:readline';
 import { ApiCredentialStore, ApiCredentialStoreError } from './apiCredentials/store.js';
-import { ApiCredentials, RawCurlCredentials } from './apiCredentials/base.js';
+import {
+  ApiCredentials,
+  ApiCredentialsUsageError,
+  RawCurlCredentials,
+} from './apiCredentials/base.js';
 import {
   CredentialsExpiredError,
   NoCredentialsForServiceError,
@@ -46,6 +50,8 @@ import {
   LoginCancelledError,
   LoginFailedError,
   NoCurlCredentialsNotSupportedError,
+  PrepareInputInvalidError,
+  PrepareNotSupportedError,
   Service,
 } from './services/index.js';
 import {
@@ -77,6 +83,7 @@ import {
   authList,
   authBrowser,
   authBrowserPrepare,
+  prepareService,
   UnknownServiceError,
   BrowserNotConfiguredError,
   PreparationRequiredError,
@@ -734,6 +741,50 @@ export function registerCommands(program: Command, deps: CliDependencies): void
       }
     });
 
+  authCommand
+    .command('prepare')
+    .description(
+      "Register a service's client details (e.g. an OAuth client id/secret) from a JSON payload, for use during login."
+    )
+    .argument('<service_name>', 'Name of the service to prepare')
+    .argument(
+      '<json>',
+      'Service-specific registration JSON, e.g. \'{"clientId":"...","clientSecret":"..."}\''
+    )
+    .addHelpText(
+      'after',
+      `\nExample:\n  $ latchkey auth prepare google-gmail '{"clientId":"<id>","clientSecret":"<secret>"}'`
+    )
+    .action(async (serviceName: string, json: string) => {
+      if (deps.config.gatewayUrl !== null) {
+        await forwardToGateway(deps, {
+          command: 'auth prepare',
+          params: { serviceName, json },
+        });
+        deps.log(`Done`);
+        return;
+      }
+      try {
+        const encryptedStorage = await createEncryptedStorageFromConfig(deps.config);
+        const apiCredentialStore = new ApiCredentialStore(
+          deps.config.credentialStorePath,
+          encryptedStorage
+        );
+        prepareService(deps.registry, apiCredentialStore, serviceName, json);
+        deps.log(`Done`);
+      } catch (error) {
+        if (
+          error instanceof UnknownServiceError ||
+          error instanceof PrepareNotSupportedError ||
+          error instanceof PrepareInputInvalidError
+        ) {
+          deps.errorLog(`Error: ${error.message}`);
+          deps.exit(1);
+        }
+        throw error;
+      }
+    });
+
   program
     .command('curl')
     .description('Run curl with API credential injection.')
@@ -810,7 +861,8 @@ export function registerCommands(program: Command, deps: CliDependencies): void
           error instanceof UrlExtractionFailedError ||
           error instanceof NoServiceForUrlError ||
           error instanceof NoCredentialsForServiceError ||
-          error instanceof CredentialsExpiredError
+          error instanceof CredentialsExpiredError ||
+          error instanceof ApiCredentialsUsageError
         ) {
           deps.errorLog(error.message);
           deps.exit(1);

src/cliCommands.ts

@@ -17,6 +17,7 @@ import {
   authList,
   authBrowser,
   authBrowserPrepare,
+  prepareService,
   UnknownServiceError,
   BrowserNotConfiguredError,
   PreparationRequiredError,
@@ -26,7 +27,12 @@ import {
   BrowserFlowsNotSupportedError,
   GraphicalEnvironmentNotFoundError,
 } from '../playwrightUtils.js';
-import { LoginCancelledError, LoginFailedError } from '../services/index.js';
+import {
+  LoginCancelledError,
+  LoginFailedError,
+  PrepareInputInvalidError,
+  PrepareNotSupportedError,
+} from '../services/index.js';
 
 const serviceNameParamsMessage = "missing required argument 'service_name'";
 const serviceNameParams = z.object(
@@ -68,12 +74,20 @@ const AuthBrowserPrepareRequestSchema = z.object({
   params: serviceNameParams,
 });
 
+const PrepareRequestSchema = z.object({
+  command: z.literal('auth prepare'),
+  params: serviceNameParams.extend({
+    json: z.string(),
+  }),
+});
+
 export const LatchkeyRequestSchema = z.discriminatedUnion('command', [
   ServicesListRequestSchema,
   ServicesInfoRequestSchema,
   AuthListRequestSchema,
   AuthBrowserRequestSchema,
   AuthBrowserPrepareRequestSchema,
+  PrepareRequestSchema,
 ]);
 
 export type LatchkeyRequest = z.infer<typeof LatchkeyRequestSchema>;
@@ -87,6 +101,8 @@ const KNOWN_ERROR_CLASSES: readonly (abstract new (...args: never[]) => Error)[]
   PreparationRequiredError,
   LoginCancelledError,
   LoginFailedError,
+  PrepareNotSupportedError,
+  PrepareInputInvalidError,
 ];
 
 function isKnownError(error: unknown): error is Error {
@@ -158,6 +174,14 @@ async function dispatch(
         deps.config,
         parsed.params.serviceName
       );
+
+    case 'auth prepare':
+      return prepareService(
+        deps.registry,
+        apiCredentialStore,
+        parsed.params.serviceName,
+        parsed.params.json
+      );
   }
 }
 

src/gateway/latchkeyEndpoint.ts

@@ -34,6 +34,7 @@ import {
   COOLIFY,
   UMAMI,
   RAMP,
+  TODOIST,
 } from './services/index.js';
 
 export class DuplicateServiceNameError extends Error {
@@ -162,4 +163,5 @@ export const SERVICE_REGISTRY = new ServiceRegistry([
   COOLIFY,
   UMAMI,
   RAMP,
+  TODOIST,
 ]);

src/serviceRegistry.ts

@@ -3,6 +3,7 @@
  */
 
 import type { Browser, BrowserContext, Page, Response } from 'playwright';
+import type { z, ZodTypeAny } from 'zod';
 import {
   ApiCredentialStatus,
   ApiCredentials,
@@ -38,6 +39,58 @@ export class LoginFailedError extends Error {
   }
 }
 
+/**
+ * Thrown when `latchkey auth prepare` is run for a service that does not declare a
+ * prepare schema (the base default — services opt in by setting one).
+ */
+export class PrepareNotSupportedError extends Error {
+  constructor(serviceName: string) {
+    super(
+      `Service '${serviceName}' does not support 'latchkey auth prepare'. ` +
+        `Use 'latchkey services info ${serviceName}' to see how to authenticate.`
+    );
+    this.name = 'PrepareNotSupportedError';
+  }
+}
+
+/**
+ * Thrown when the JSON passed to `latchkey auth prepare` is malformed or does not
+ * match the service's prepare schema. The whole command is rejected and
+ * nothing is stored.
+ */
+export class PrepareInputInvalidError extends Error {
+  constructor(serviceName: string, detail: string) {
+    super(`Invalid prepare input for '${serviceName}': ${detail}`);
+    this.name = 'PrepareInputInvalidError';
+  }
+}
+
+/**
+ * Validate a parsed JSON value against a service's prepare schema and build the
+ * resulting credentials. Centralizes validation so each service's
+ * `prepareFromJson` only expresses its schema and build step. Throws
+ * `PrepareInputInvalidError` (with the failing fields) on any schema mismatch;
+ * nothing is built unless the input fully validates.
+ */
+export function buildPreparedCredentials<Schema extends ZodTypeAny>(
+  serviceName: string,
+  schema: Schema,
+  parsedJson: unknown,
+  build: (validatedInput: z.infer<Schema>) => ApiCredentials
+): ApiCredentials {
+  const result = schema.safeParse(parsedJson);
+  if (!result.success) {
+    const detail = result.error.issues
+      .map((issue) => {
+        const path = issue.path.join('.');
+        return path ? `${path}: ${issue.message}` : issue.message;
+      })
+      .join('; ');
+    throw new PrepareInputInvalidError(serviceName, detail);
+  }
+  return build(result.data as z.infer<Schema>);
+}
+
 export function isBrowserClosedError(error: Error): boolean {
   const message = error.message.toLowerCase();
   return (
@@ -50,6 +103,22 @@ export function isBrowserClosedError(error: Error): boolean {
   );
 }
 
+/**
+ * Detects the Playwright/CDP error raised when a response body can no longer be
+ * retrieved (`Network.getResponseBody` reports "No resource with given
+ * identifier found"). This happens for responses that retain no readable body —
+ * redirects, evicted or cached resources, or bodies fetched after the page has
+ * navigated onward. Callers that read response bodies opportunistically should
+ * treat this as inconclusive rather than fatal.
+ */
+export function isResponseBodyUnavailableError(error: Error): boolean {
+  const message = error.message.toLowerCase();
+  return (
+    message.includes('no resource with given identifier') ||
+    message.includes('network.getresponsebody')
+  );
+}
+
 export function isTimeoutError(error: Error): boolean {
   return error.name === 'TimeoutError';
 }
@@ -126,6 +195,18 @@ export abstract class Service {
     throw new NoCurlCredentialsNotSupportedError(this.name);
   }
 
+  /**
+   * Build credentials from a parsed JSON payload for `latchkey auth prepare`.
+   *
+   * Optional, like `getSession`/`refreshCredentials`: services opt in by
+   * implementing it (typically via `buildPreparedCredentials` with a Zod
+   * schema). When a service does not implement it, prepare is "not supported"
+   * — the default that lets every service stay closed until it declares a
+   * schema. Implementations validate `parsedJson` and throw
+   * `PrepareInputInvalidError` on mismatch.
+   */
+  prepareFromJson?(parsedJson: unknown): ApiCredentials;
+
   /**
    * Get a new session for the login flow.
    * Services that don't support browser login should not implement this method.